I have a small Spring Boot app which exposes a REST service with two methods, "/upload" (POST) and "/show" (GET).

When I run my Angular 2 app on my computer, http://computer.domain.com:4200, and have the Spring Boot REST service on the same computer on a different port, http://computer.domain.com:8080, the CSRF part of Angular 2 doesn't wanna send the XSRF token with the header.

If I deploy the Angular GUI within the Spring Boot WAR so that both the REST and GUI are accessible via http://computer.domain.com:8080, everything that's CSRF-related then works.

I thought that Cookies and angular were 'agnostic' when it came to what port they were sent from, as long as it originated from the same server.

Am I missing some piece of config that makes angular send CSRF-headers?

OddBeck

1 Answer

Cookies/browsers may not be agnostic to the port. See this question and the related answer.

The common setup is to configure angular-cli to set up a proxy.

For example, if your REST endpoint starts with api, you should create a proxy.conf.json:

{
  "/api": {
    "target": "http://computer.domain.com:8080",
    "secure": false
  }
}

Then update your package.json start script to:

"start": "ng serve --proxy-config proxy.conf.json",

The frontend should make its http call to http://computer.domain.com:4200/api...

Hope it helps

Nicolas Labrot
  • I'm gonna try to see if this works. I saw someone mention this yesterday on some post on some site, but I thought that there'd be another way. – OddBeck Apr 06 '17 at 07:41
  • I also must add that the cookie that the spring framework dished out was HttpOnly, which didn't exactly help Angular on the way.... If anyone ever reads this, make sure it's not HttpOnly. – OddBeck Apr 07 '17 at 06:06
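
Added example (not code from the question, the answer or either project): a small Node.js model of the cookie-to-header CSRF pattern discussed above, showing why an HttpOnly token cookie leaves the client script with nothing to copy into the header. The Set-Cookie lines are constructed sample values, the function names are hypothetical, and `XSRF-TOKEN` / `X-XSRF-TOKEN` are Angular's default cookie and header names.

```javascript
// Model of the cookie-to-header CSRF pattern, runnable outside a browser.
// The Set-Cookie lines used below are constructed sample values.

// Parse one Set-Cookie header into { name, value, httpOnly }.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: ignore the header
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: attrs.some((a) => a.toLowerCase() === 'httponly'),
  };
}

// What script would read from document.cookie: HttpOnly cookies are stored
// and sent by the browser, but never exposed to JavaScript.
function scriptVisibleCookies(setCookieLines) {
  return setCookieLines
    .map(parseSetCookie)
    .filter((c) => c && !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Client side of the pattern: copy the token cookie into a request header.
// Returns {} when the cookie is not readable, so no header is sent.
function xsrfHeaders(documentCookie, cookieName = 'XSRF-TOKEN', headerName = 'X-XSRF-TOKEN') {
  for (const part of documentCookie.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0 && part.slice(0, eq).trim() === cookieName) {
      return { [headerName]: decodeURIComponent(part.slice(eq + 1).trim()) };
    }
  }
  return {};
}

const TOKEN = 'constructed-token-123';
const httpOnlyJar = scriptVisibleCookies([`XSRF-TOKEN=${TOKEN}; Path=/; HttpOnly`, 'theme=dark; Path=/']);
const readableJar = scriptVisibleCookies([`XSRF-TOKEN=${TOKEN}; Path=/`, 'theme=dark; Path=/']);

console.log('HttpOnly token cookie ->', xsrfHeaders(httpOnlyJar)); // no header to send
console.log('Readable token cookie ->', xsrfHeaders(readableJar)); // header carries the token
```

On the server side the token cookie therefore has to be issued without the HttpOnly attribute for this pattern to work, as the last comment notes.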